
EHCP Apache suexec or suPHP Support

Submitted by own3mall on Sat, 08/06/2011 - 08:29

First off, I lack the expertise to implement this feature or even begin to configure it. In fact, I hardly understand it myself, but it would seem that using the suPHP module alongside Apache would yield the most secure and ideal setup for a webserver. Thus, this is an extremely low priority feature request, and I don't know if it's needed or not.

From my understanding, suPHP allows users to OWN only their virtual host directories, allowing them access and full ownership over their files. With this setup, it allows users to be able to write files into their owned directories without chmodding them to 777. Currently, when files are uploaded via the EHCP setup, they are all owned by vsftpd and belong to the group of nobody. Thus, if one user is hacked, since the files are owned by vsftpd, everyone's files are hacked. Also, some scripts do not play nicely in terms of modifying/uploading files if they are owned by another user.

Quote from suPHP experts:

If suphp or suExec is installed and configured properly on your web server, then all the files in your directory should belong to you, and the webserver will be able to read and write any files you can read and write. When the webserver creates a file in your directory, it belongs to you. In this case, only the file's owner needs permission to write to files and execute directories. CHMOD permission of 644 for files (owner:read+write, group:read, world: read) and 755 for directories (add the ability to "execute" directories) will be sufficient.

When web hosts don't use suphp or suExec:

In this case, you still own files you create using ftp. Every time you use ftp to copy files to the server, they belong to you. But the webserver on these hosts does not run as you. It may run as "nobody", or else as a special username, perhaps "www-data" -- users who don't belong to the same group as your username does. This means that the webserver will not be able to write files in your directories unless you grant world write permission to your files and directories (chmod 777 for directories, 666 for files). Any new files created don't belong to you. That means that, if you are going to need to work with them later, you'll need to make these files world-writable, and directories world-executable, so that you can edit the webserver's files or delete them from webserver-created directories.
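The two quoted paragraphs describe a concrete, checkable difference between the two setups: without suexec/suPHP the account ends up with 777 directories and 666 files so the web server user can write, whereas with per-user ownership 755/644 is enough. The script below is an added example, not part of the original post or of EHCP, that an administrator could run against a virtual host directory to count the world-writable entries (the symptom of the 777/666 workaround), count entries not owned by the account that should own the vhost, and apply the 644/755 model the quote recommends. The function names, the `public_html` layout and the sample files are constructed for the demo; the ownership check only becomes meaningful once suexec/suPHP (or the FTP configuration) actually makes the account the owner of its files.

```shell
#!/bin/sh
# Hypothetical audit helpers for a per-user vhost directory (not EHCP code).

# count_world_writable DIR
#   Number of files and directories under DIR that any user may write to.
#   -perm -002 matches the "other: write" bit, i.e. the 777/666 workaround.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# count_foreign_owned DIR OWNER
#   Number of entries under DIR whose owner is not OWNER. With suexec/suPHP
#   every file the web server creates should be owned by the account, so a
#   non-zero result points at files created by vsftpd, www-data, etc.
count_foreign_owned() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# harden_webroot DIR
#   Apply the permissions the quote says are sufficient once ownership is
#   correct: 755 for directories, 644 for files. This only works as intended
#   if the entries are owned by the account the web server runs as.
harden_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# make_demo_tree
#   Builds a constructed sample vhost in a temp directory that shows the
#   "no suexec" state: an uploads directory at 777 and an uploaded file at 666.
#   Prints the path of the temp directory.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/uploads"
    chmod 755 "$root/public_html"
    printf '<?php echo "hello";\n' > "$root/public_html/index.php"
    printf 'constructed sample upload\n' > "$root/public_html/uploads/avatar.png"
    chmod 644 "$root/public_html/index.php"
    chmod 777 "$root/public_html/uploads"            # world-writable workaround
    chmod 666 "$root/public_html/uploads/avatar.png" # world-writable workaround
    printf '%s\n' "$root"
}

# Stand-alone demo: report before and after hardening, then clean up.
demo_root=$(make_demo_tree)
echo "world-writable before: $(count_world_writable "$demo_root")"
echo "not owned by $(id -un): $(count_foreign_owned "$demo_root" "$(id -un)")"
harden_webroot "$demo_root"
echo "world-writable after:  $(count_world_writable "$demo_root")"
rm -rf "$demo_root"
```

Run it as the account that owns the vhost (or as root with the account name as the second argument to `count_foreign_owned`). A non-zero world-writable count on a host that does run suexec/suPHP means the 777/666 workaround is still in place and can be tightened with `harden_webroot`; a non-zero foreign-owned count means the web server or FTP daemon is still creating files under a shared user, which is exactly the cross-account exposure the post describes.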